Securely transferring computation in a disaggregated environment using a processor group key

US11017103B2 · US · B2

Patent metadata

Field: Value
Publication number: US-11017103-B2
Application number: US-201816204463-A
Country: US
Kind code: B2
Filing date: Nov 29, 2018
Priority date: Nov 29, 2018
Publication date: May 25, 2021
Grant date: May 25, 2021

Abstract

Official abstract text for this publication.

A group of processors in a processor pool comprise a secure “enclave” in which user code is executable and user data is readable solely with the enclave. This is facilitated through the key management scheme described that includes two sets of key-pairs, namely: a processor group key-pair, and a separate user key-pair (typically one per-user, although a user may have multiple such key-pairs). The processor group key-pair is associated with all (or some defined subset of) the processors in the group. This key-pair is used to securely communicate a user private key among the processors. The user private key, however, is not transmitted to non-members of the group. Further, preferably the user private key is refreshed periodically or upon any membership change (in the group) to ensure that non-members or ex-members cannot decipher the encrypted user key.
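The group-key scheme summarized above can be modelled in a few lines; this is an added sketch, not code from the patent or its assignee, and it refreshes the group key-pair on every membership change as the first claim recites. `Enclave`, `Join`, `Remove`, `Wrap`, `Unwrap` and the processor names are hypothetical, and RSA-OAEP with wrapping to the group public key and unwrapping with the shared group private key is an assumed choice of primitive and direction.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Enclave is a hypothetical model: each member holds a copy of the shared group private key.
type Enclave struct{ held map[string]*rsa.PrivateKey }

func NewEnclave() *Enclave { return &Enclave{held: map[string]*rsa.PrivateKey{}} }

// refresh generates a new group key-pair and hands it to current members only.
func (e *Enclave) refresh() {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	for name := range e.held {
		e.held[name] = k
	}
}

// Join admits only an authorized processor; Join and Remove both refresh the group key-pair.
func (e *Enclave) Join(name string, authorized bool) bool {
	if authorized {
		e.held[name] = nil
		e.refresh()
	}
	return authorized
}
func (e *Enclave) Remove(name string) {
	delete(e.held, name)
	e.refresh()
}

// Wrap protects the user key for an in-enclave transfer; Unwrap needs a current group private key.
func (e *Enclave) Wrap(from string, userKey []byte) ([]byte, error) {
	k := e.held[from]
	if k == nil {
		return nil, fmt.Errorf("%s is not an enclave member", from)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.PublicKey, userKey, nil)
}
func Unwrap(k *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, wrapped, nil)
}
func main() { fmt.Println(NewEnclave().Join("cpu-a", true)) }
```

A processor that kept its copy of the group private key from before it was removed cannot unwrap a user key wrapped after the refresh, which is the property the abstract attributes to refreshing on membership change.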

First claim

Opening claim text (preview).

The invention claimed is:

1. A method to securely transfer computation in a disaggregated compute environment comprising a set of resource pools including a secure processor pool, comprising: associating a set of processors drawn from the secure processor pool as an enclave; associating a first key-pair with each of the set of processors in the enclave, the first key-pair including a private key that is shared by the each of the processors, the private key having an associated public key; receiving user code and data within a first processor in the enclave, the user code and data being secured by a second key-pair uniquely associated with a user, the second key-pair including a decipher key; in association with a transfer of the user code and data from a first processor in the enclave to a second processor in the enclave that shares the first key-pair, encrypting the decipher key using the private key and passing the encrypted decipher key from the first processor to the second processor; adjusting a membership of the set of processors in the enclave, wherein adjusting the membership includes: determining whether a new processor has an authorization to join the enclave; and when the new processor has the authorization, associating the new processor to the set of processors in the enclave; and refreshing the first key-pair following association of the new processor to the set of processors.

2. The method of claim 1, further including securely transferring the user code and data from the second processor to a processor outside the enclave.

3. The method of claim 1, wherein adjusting the membership includes removing a processor from the set of processors in the enclave and returning the removed processor to the secure processor pool.

4. The method of claim 1, further including executing the user code in the enclave, wherein the user code is executed by decrypting the encrypted decipher key using the public key to recover the decipher key, and then applying the decipher key to decrypt the user code.

5. A system to securely transfer computation in a disaggregated compute environment comprising a set of resource pools including a secure processor pool, comprising: one or more hardware processors; computer memory holding computer program instructions executed by the hardware processors and operative to: associate a set of processors drawn from the secure processor pool as an enclave; associate a first key-pair with each of the set of processors in the enclave, the first key-pair including a private key that is shared by the each of the processors, the private key having an associated public key; receive user code and data within a first processor in the enclave, the user code and data being secured by a second key-pair uniquely associated with a user, the second key-pair including a decipher key; in association with a transfer of the user code and data from a first processor in the enclave to a second processor in the enclave that shares the first key-pair, encrypt the decipher key using the private key and passing the encrypted decipher key from the first processor to the second processor; adjust a membership of the set of processors in the enclave, wherein adjusting the membership includes: determining whether a new processor has an authorization to join the enclave; and when the new processor has the authorization, associating the new processor to the set of processors in the enclave; and refresh the first key-pair following association of the new processor to the set of processors.

6. The system of claim 5, wherein the computer program instructions are further operative to securely transfer the user code and data from the second processor to a processor outside the enclave.

7. The system of claim 5, wherein the computer program instructions to adjust the membership includes program code operative to remove a processor from the set of processors in the enclave and return the removed processor to the secure processor pool.

8. The system of claim 5, wherein the computer program instructions are further operative to execute the user code in the enclave, wherein the user code is executed by decrypting the encrypted decipher key using the public key to recover the decipher key, and then applying the decipher key to decrypt the user code.

9. A computer program product in a non-transitory computer readable medium for use in a data processing system to securely transfer computation in a disaggregated compute environment comprising a set of resource pools including a secure processor pool, the computer program product comprising computer program instructions operative to: associate a set of processors drawn from the secure processor pool as an enclave; associate a first key-pair with each of the set of processors in the enclave, the first key-pair including a private key that is shared by the each of the processors, the private key having an associated public key; receive user code and data within a first processor in the enclave, the user code and data being secured by a second key-pair uniquely associated with a user, the second key-pair including a decipher key; in association with a transfer of the user code and data from a first processor in the enclave to a second processor in the enclave that shares the first key-pair, encrypt the decipher key using the private key and passing the encrypted decipher key from the first processor to the second processor; adjust a membership of the set of processors in the enclave, wherein adjusting the membership includes: determining whether a new processor has an authorization to join the enclave; and when the new processor has the authorization, associating the new processor to the set of processors in the enclave; and refresh the first key-pair following association of the new processor to the set of processors.

10. The computer program product of claim 9, wherein the computer program instructions are further operative to securely transfer the user code and data from the second processor to a processor outside the enclave.

11. The computer program product of claim 9, wherein the computer program instructions to adjust the membership includes program code operative to remove a processor from the set of processors in the enclave and return the removed processor to the secure processor pool.

12. The computer program product of claim 9, wherein the computer program instructions are further operative to execute the user code in the enclave, wherein the user code is executed by decrypting the encrypted decipher key using the public key to recover the decipher key, and then applying the decipher key to decrypt the user code.

Assignees

Inventors

Classifications

  • Restricted operating environment · CPC title

  • Secure multiparty computation, e.g. millionaire problem · CPC title

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title

  • Countermeasures against attacks on cryptographic mechanisms (network architectures or network communication protocols for protection against malicious traffic H04L63/1441) · CPC title

  • using key encryption key · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06F21/606. Mapped technology areas include Physics.
When was this patent published?
Publication date May 25, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).